Brekeke SIP Server Wiki


This section describes how to configure Brekeke SIP Server security features. These features can protect your service against attacks or unauthorized use.


Administration Tool

To avoid a takeover of the server, please change the password for Administration Tool at [Configuration] > [Password] page. Its default password is “sa”.


SIP Authentication

There are two ways to enable SIP Authentication. One is for the entire server. Another is for certain SIP requests.To use SIP Authentication, an administrator needs to add users in the [User Authentication] page. Please refer to the section “Set up SIP-UA” for more details


SIP Authentication for all INVITE/REGISTER requests

Please enable SIP Authentication at the [Configuration] > [SIP] page. This setting affects all of INVITE / REGISTER requests.

Item Setting Value Explanation
REGISTER on Authenticates REGISTER requests.
INVITE on Authenticates INVITE requests.


SIP Authentication for certain requests

The server can authenticate a certain SIP request by using $auth variable in the Dial Plan.

The $auth variable determines whether to authenticate the matched request or not. If the value is “true”, the server authenticates the request. If the value is “false”, the server does not authenticate the request.

Example-1: Authenticate SUBSCRIBE requests.

  Matching Patterns   Deploy Patterns
$request = ^SUBSCRIBE $auth = true

$continue = true

At [Configuration] > [SIP] page, there is also authentication setting for MESSAGE and SUBSCRIBE requests.


Example-2: Don’t authenticate INVITE requests if it comes from 192.168.0.x.

  Matching Patterns   Deploy Patterns
$request = ^INVITE

$addr = ^192.168.0

$auth = false

$continue = true


Block a non-registered user’s INVITE request

To block non- registered users, the following sample Dial Plan rules will help you.


Example-1: If a client is not registered in the server, its INVITE request will be rejected with “403 Forbidden” response.

  Matching Patterns   Deploy Patterns
$request = ^INVITE

$registeredSender = false

$action = 403


Example-2: If a client’s registered IP address and port do not match with request’s remote IP address and port, the request will be rejected with “403 Forbidden” response.

  Matching Patterns   Deploy Patterns
$request = ^INVITE

$addrport = (.+)

$regAddr(From) =! %1

$action = 403


Block Malicious Activities with Block List

From Brekeke SIP Server v3.2, Block List feature can be used to define filter policy and block policy to detect malicious activities by the frequency of SIP attempts and add the source IP of these suspicious attempts to blocked IP database. Also, with block action preliminary dial plan rules, Brekeke SIP Server can block malicious activities by checking SIP headers and also add their source IP to blocked IP database.



See Also:
Yes No
Suggest Edit